syzbot

KASAN: use-after-free Read in tcp_ack

Status: auto-closed as invalid on 2020/01/18 23:16
Reported-by: syzbot+e23f6a682a69d1555eae@syzkaller.appspotmail.com
First crash: 1698d, last: 1687d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in tcp_ack 30 1687d 1697d 0/1 auto-closed as invalid on 2019/12/19 23:16
upstream KASAN: use-after-free Read in tcp_ack net 68 2362d 2364d 3/26 fixed on 2017/11/28 03:36

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in tcp_ack_probe net/ipv4/tcp_input.c:3293 [inline]
BUG: KASAN: use-after-free in tcp_ack+0x3beb/0x42c0 net/ipv4/tcp_input.c:3715
Read of size 4 at addr ffff8881d65c6a2c by task syz-executor.0/7046

CPU: 1 PID: 7046 Comm: syz-executor.0 Not tainted 4.14.145+ #0
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xca/0x134 lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 tcp_ack_probe net/ipv4/tcp_input.c:3293 [inline]
 tcp_ack+0x3beb/0x42c0 net/ipv4/tcp_input.c:3715
 tcp_rcv_established+0x4a9/0x1610 net/ipv4/tcp_input.c:5556
 tcp_v6_do_rcv+0xcbd/0x10d0 net/ipv6/tcp_ipv6.c:1301
 tcp_v6_rcv+0x20db/0x2ec0 net/ipv6/tcp_ipv6.c:1519
 ip6_input_finish+0x3d6/0x1500 net/ipv6/ip6_input.c:284
 NF_HOOK include/linux/netfilter.h:250 [inline]
 ip6_input+0x1fd/0x320 net/ipv6/ip6_input.c:327
 dst_input include/net/dst.h:468 [inline]
 ip6_rcv_finish+0x148/0x640 net/ipv6/ip6_input.c:71
 NF_HOOK include/linux/netfilter.h:250 [inline]
 ipv6_rcv+0xcf6/0x1bb0 net/ipv6/ip6_input.c:208
 __netif_receive_skb_core+0x13ad/0x2cf0 net/core/dev.c:4477
 __netif_receive_skb+0x66/0x210 net/core/dev.c:4515
 process_backlog+0x1dc/0x640 net/core/dev.c:5197
 napi_poll net/core/dev.c:5598 [inline]
 net_rx_action+0x366/0xcd0 net/core/dev.c:5664
 __do_softirq+0x234/0x9ec kernel/softirq.c:288
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1015
 </IRQ>
 do_softirq.part.0+0x5b/0x60 kernel/softirq.c:332
 do_softirq kernel/softirq.c:324 [inline]
 __local_bh_enable_ip+0xb0/0xc0 kernel/softirq.c:185
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:725 [inline]
 ip6_finish_output2+0x106e/0x1fa0 net/ipv6/ip6_output.c:121
 ip6_finish_output+0x64b/0xb40 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip6_output+0x1dc/0x680 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:462 [inline]
 NF_HOOK include/linux/netfilter.h:250 [inline]
 ip6_xmit+0x10a1/0x1ca0 net/ipv6/ip6_output.c:275
 inet6_csk_xmit+0x298/0x500 net/ipv6/inet6_connection_sock.c:139
 __tcp_transmit_skb+0x18bc/0x2e20 net/ipv4/tcp_output.c:1130
 tcp_transmit_skb net/ipv4/tcp_output.c:1146 [inline]
 tcp_write_xmit+0x510/0x4730 net/ipv4/tcp_output.c:2382
 tcp_sendmsg_locked+0x1522/0x2f50 net/ipv4/tcp.c:1406
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1457
 inet_sendmsg+0x15b/0x520 net/ipv4/af_inet.c:760
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 SYSC_sendto net/socket.c:1763 [inline]
 SyS_sendto+0x1de/0x2f0 net/socket.c:1731
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459a09
RSP: 002b:00007f5d56defc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000459a09
RDX: 00000000fffffdda RSI: 00000000200000c0 RDI: 0000000000000008
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5d56df06d4
R13: 00000000004c79b8 R14: 00000000004dd418 R15: 00000000ffffffff

Allocated by task 7044:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:495
 slab_post_alloc_hook mm/slab.h:439 [inline]
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2800 [inline]
 kmem_cache_alloc+0xee/0x360 mm/slub.c:2805
 kmem_cache_alloc_node include/linux/slab.h:361 [inline]
 __alloc_skb+0xea/0x5c0 net/core/skbuff.c:193
 alloc_skb_fclone include/linux/skbuff.h:1022 [inline]
 sk_stream_alloc_skb+0xf4/0x8a0 net/ipv4/tcp.c:855
 tcp_sendmsg_locked+0xf11/0x2f50 net/ipv4/tcp.c:1301
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1457
 inet_sendmsg+0x15b/0x520 net/ipv4/af_inet.c:760
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 SYSC_sendto net/socket.c:1763 [inline]
 SyS_sendto+0x1de/0x2f0 net/socket.c:1731
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

Freed by task 7044:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:457
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055
 kfree_skbmem+0x84/0x110 net/core/skbuff.c:607
 sk_wmem_free_skb include/net/sock.h:1416 [inline]
 tcp_remove_empty_skb net/ipv4/tcp.c:929 [inline]
 tcp_remove_empty_skb+0x264/0x320 net/ipv4/tcp.c:923
 tcp_sendmsg_locked+0x1c09/0x2f50 net/ipv4/tcp.c:1435
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1457
 inet_sendmsg+0x15b/0x520 net/ipv4/af_inet.c:760
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 SYSC_sendto net/socket.c:1763 [inline]
 SyS_sendto+0x1de/0x2f0 net/socket.c:1731
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

The buggy address belongs to the object at ffff8881d65c6a00
 which belongs to the cache skbuff_fclone_cache of size 456
The buggy address is located 44 bytes inside of
 456-byte region [ffff8881d65c6a00, ffff8881d65c6bc8)
The buggy address belongs to the page:
page:ffffea0007597180 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
raw: ffffea0007581000 0000000200000002 ffff8881dab70400 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d65c6900: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff8881d65c6980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881d65c6a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8881d65c6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d65c6b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (9):
Time              Kernel        Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets  Manager                        Title
2019/09/20 23:15  android-4.14  61a760424681  d96e88f3   .config  console log  report                                       ci-android-414-kasan-gce-root
2019/09/19 16:37  android-4.14  290dd9dfcbe8  eb940044   .config  console log  report                                       ci-android-414-kasan-gce-root
2019/09/17 04:15  android-4.14  5d41eafc92c2  51ca0454   .config  console log  report                                       ci-android-414-kasan-gce-root
2019/09/17 02:27  android-4.14  5d41eafc92c2  51ca0454   .config  console log  report                                       ci-android-414-kasan-gce-root
2019/09/16 16:29  android-4.14  911452d91654  cb936299   .config  console log  report                                       ci-android-414-kasan-gce-root
2019/09/16 04:23  android-4.14  f02af7b02c26  32d59357   .config  console log  report                                       ci-android-414-kasan-gce-root
2019/09/14 19:59  android-4.14  f02af7b02c26  32d59357   .config  console log  report                                       ci-android-414-kasan-gce-root
2019/09/11 22:15  android-4.14  f02af7b02c26  f4e53c10   .config  console log  report                                       ci-android-414-kasan-gce-root
2019/09/10 10:59  android-4.14  f02af7b02c26  a60cb4cd   .config  console log  report                                       ci-android-414-kasan-gce-root